Segregation Rules

Device isolation and placement rules for compliance, security, and multi-tenancy requirements.

How to Access

Segregation rules are accessed from the device list page. Navigate to Virtual Datacenter > All Devices and click the Segregation rules button.

Overview

Segregation rules allow you to define network isolation policies between virtual machines. You can create rules that either connect or separate devices, controlling how VMs interact at the infrastructure level. Rules are organized by cloud or hypervisor and enforced automatically during VM placement.

Rule Types

There are two types of segregation rules:

Type | Description
Connect | Ensures the specified VMs are placed together and can communicate with each other.
Separate | Ensures the specified VMs are isolated from each other and placed on separate infrastructure.

Managing Segregation Rules

Creating a Rule

Open segregation rules

Navigate to Virtual Datacenter > All Devices and click the Segregation rules button in the device list header.

Select the cloud

If you have multiple clouds or hypervisors, select the appropriate one from the tabs at the top.

Create a new rule

Click Create Rule. Provide a name, description, select the rule type (Connect or Separate), and choose the devices to include.

Viewing and Filtering Rules

The rules list can be filtered by type using the tabs: All rules, Connect, or Separate. Use the search field to find rules by name, description, or device name.

Editing and Deleting Rules

Click a rule to edit its name, description, or device assignments. Rules with a "Provisioning" status cannot be edited until provisioning completes. To remove a rule, click the delete button and confirm in the dialog.

Resource availability

Strict segregation rules may limit available placement options and can prevent VM creation if insufficient isolated resources exist. Ensure your infrastructure has adequate capacity to support the desired isolation policies.
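
A rule set can be checked for contradictions and capacity shortfalls before it reaches placement. The sketch below is an added example, not the platform's own code or API: the rule field names, the device names and the host count are constructed, and it assumes that Connect rules sharing a device chain into one co-located group and that each separated group needs its own host.

```python
from itertools import combinations

# Constructed sample rules; field names are assumptions, not the platform's schema.
RULES = [
    {"name": "app-tier", "type": "connect", "devices": ["web-1", "app-1"]},
    {"name": "db-link", "type": "connect", "devices": ["app-1", "db-1"]},
    {"name": "pci-split", "type": "separate", "devices": ["web-1", "db-1", "dev-1"]},
    {"name": "tenant-split", "type": "separate", "devices": ["cust-a", "cust-b", "cust-c"]},
]


def connect_groups(rules):
    """Union-find over Connect rules; returns find(device) -> group representative."""
    parent = {}

    def find(d):
        parent.setdefault(d, d)
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps lookups short
            d = parent[d]
        return d

    for rule in rules:
        if rule["type"] == "connect":
            devices = rule["devices"]
            for other in devices[1:]:
                parent[find(other)] = find(devices[0])
    return find


def audit(rules, host_count):
    """Return (rule name, problem) pairs for Separate rules that cannot be satisfied."""
    find = connect_groups(rules)
    findings = []
    for rule in rules:
        if rule["type"] != "separate":
            continue
        # Two devices that must be apart but are chained together by Connect rules.
        for a, b in combinations(rule["devices"], 2):
            if find(a) == find(b):
                findings.append((rule["name"], f"{a} and {b} are also connected"))
        # Assumption: every distinct group in a Separate rule needs its own host.
        groups = {find(d) for d in rule["devices"]}
        if len(groups) > host_count:
            findings.append((rule["name"], f"needs {len(groups)} hosts, {host_count} available"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(RULES, host_count=2):
        print(f"{name}: {problem}")
```

The first finding comes from a transitive link (web-1 to app-1 to db-1) that is easy to miss when each rule is reviewed on its own.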

Use Cases

Use Case | Description | Rule Configuration
Regulatory compliance | Financial or healthcare regulations requiring physical separation of workloads from different entities. | Host-level isolation between regulated and non-regulated organizations.
Multi-tenancy isolation | Reseller partners ensuring that customer workloads are physically separated for security or contractual reasons. | Host-level isolation between specified customer organizations.
Data sovereignty | Ensuring that data from specific jurisdictions remains on dedicated infrastructure within the required geography. | Segregation rules combined with location-specific resource pools.
Security classification | Separating workloads with different security classifications (e.g., production vs. development, classified vs. unclassified). | Group-level segregation between security zones.

Reseller and admin feature

Segregation rules are typically configured by platform administrators or reseller partners. End customers should contact their provider if they require device isolation policies.